(forking this to a new subject)

On Thu, Aug 29, 2019 at 5:54 PM Kirk Hall via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> What the heck does it mean when sometimes you say you are posting "in a
> personal capacity" and sometimes you don't?  To me, it always appears that
> your postings on the Mozilla list are always the same as your postings on
> the CA/Browser Forum list and are always for the purpose of promoting [your
> employer's] policies and objectives.  Is there really a difference?
>

Kirk,

You ask a very important question that deserves a clear answer.  Yes, there
is a difference.  If I'm posting on behalf of my employer, the post can be
attributed to my employer and could be quoted as $EMPLOYER says ... while
if I'm posting as an individual, this is not true.

Many people, including myself and many others who participate in this
group, work for companies they do not control.  These companies frequently
have specific policies for their employees about who can speak on behalf of
the company and under what circumstances they can speak on behalf of the
company.  See, for example, https://www.ibm.com/blogs/zz/en/guidelines.html

The concept of authority to represent a legal entity and the fact that not
everyone who works for an entity has authority to commit the entity to
agreements is fairly well known.  The CA/Browser Forum EV Guidelines
recognize this when they require that the "CA MUST verify that the Contract
Signer is authorized by the Applicant to enter into the Subscriber
Agreement (and any other relevant contractual obligations) on behalf of the
Applicant".  I expect that many questions would come up if someone
indicated they are employed as a summer intern yet authorized to obligate
their employer to an agreement.

You point out that frequently personal opinions and the opinions of one's
employer align.  This is not all that surprising to me.  What it tells me
is that the poster is probably influential in their organization and has
convinced those who determine the position of the legal entity to align the
position with their thinking.  IBM says in their guidelines "the following
standard disclaimer should be prominently displayed: 'The postings on this
site are my own and don't necessarily represent IBM's positions, strategies
or opinions'" when posting.  Note that it doesn't say "do not represent",
rather "do not necessarily represent".  There are cases where an employee's
personal opinions will be aligned with their employer and vice-versa; this
does not mean they always will align.

Another way to think about this is that participation in Mozilla may easily
exceed the duration of one's employment with a given employer.  Looking
back, my first bug filed with Mozilla was 21 years and several employers
ago (https://bugzilla.mozilla.org/show_bug.cgi?id=7368) and my first
certificate related bug was filed before I worked for any part of Amazon (
https://bugzilla.mozilla.org/show_bug.cgi?id=546176).  I can assure you I
wasn't speaking on behalf of those employers then and I'm not speaking for
my current employer in this post.

I've tried to make clear for whom I'm speaking by using different email
addresses; @gmail.com for personal posts and @<employer>.com for the rare
times I'm speaking on behalf of my employer.  As you have pointed out,
identity is important in order to know with whom you are interacting.

Thanks,
Peter

(not speaking for my employer)
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy